Malware caused India’s biggest debit card data breach: Audit report


The largest data breach in India’s banking system, which affected nearly 3.2 million debit cards in 2016, was caused by a malware injection in its systems, said Hitachi Payment Services Pvt. Ltd—the firm at the centre of the security breach. It said it didn’t know how much data was compromised.

Hitachi’s admission comes after payment and information security specialist, SISA Information Security Pvt. Ltd completed its audit of the payment services firm.

While the debit card data was compromised between 21 May and 11 July last year, it was not until September that the banking system became aware of this large-scale data breach that happened on Yes Bank’s ATM network managed by Hitachi.

“The malware, being sophisticated in its design, had been able to work undetected and had concealed its tracks. While the behaviour of the malware and the penetration into the network has been deciphered, the amount of data breached during the compromise period can’t be ascertained due to secure deletion by the malware,” said Hitachi in a statement.

SISA confirmed the malware captured both the debit card number and PIN of customers who used their cards at the affected ATMs. However, financial losses were contained because the card issuing banks blocked cards and advised some customers to change their debit card PIN.

Yes Bank declined to comment in the matter.

“The reason why such cyber attacks are happening today is because of the ineffective implementation of the payment security standards. Organizations need to pay a lot more emphasis to this than they currently do. It’s not the check-the-box approach which has been traditionally followed,” Dharshan Shanthamurthy, founder and CEO of SISA, said.

“This happened to be one such incident. With demonetization, and with an increase in the number of digital payments, such attacks are going to get worse,” he warned.

Hitachi said it has enhanced its infrastructure to prevent such frauds in the future, but concerns remain about the cyber security preparedness of the banking system.

RBI deputy governor S.S. Mundra in a 1 February speech had pointed to the need to continuously guard against such malware attacks and also report such incidents on a real-time basis.

The Hitachi breach was first detected after few banks raised an alarm over the fraudulent use of their customers’ cards in China and the US, while these customers were in India.

According to the National Payment Corp. of India, which manages RuPay cards, some 641 customers had reported losses worth Rs1.3 crore.

The SISA report comes a day after the Reserve Bank of India appointed an inter-disciplinary standing committee on cyber security.

This committee will review threats inherent in existing and emerging technology, study adoption of various security standards and protocols, interface with stakeholders and suggest appropriate policy interventions to strengthen cyber security and resilience.